a44bdb59c442995641c6517be1bfb12bdb9fc786bff15d6e89a439287a514c76

General

Target

dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe
Size

718KB
MD5

dbfbab21182b4238a1bc1498684337b5
SHA1

22d9bf08ad7ecc8ef233a4ee4da9a1d3293d5fcd
SHA256

a44bdb59c442995641c6517be1bfb12bdb9fc786bff15d6e89a439287a514c76
SHA512

b54a48baa9c9d75d79891ae6131fc58852dce31634baddb63ccf893a4625930bd48a4220b4de1dc927d083af86ed2afdb3a09125c2e9d37e65285b2de9f01f19
SSDEEP

6144:EM/in98C/WvBJIzvGO8QC2V68nVG2CPRgLXM+1mq7kycl8dk3LNr6XoRDae8N5Y4:NC98CQnmGl2d+gL8+13gyc6EZou+AQD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2952	ShopAtHome_Toolbar_Installer.exe
2864	SelectRebatesDownload.exe

Loads dropped DLL 3 IoCs

pid	Process
2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe
2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe
2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SelectRebates\SelectRebatesDownload.exe	ShopAtHome_Toolbar_Installer.exe
File opened for modification	C:\Program Files (x86)\SelectRebates\SelectRebatesDownload.exe	ShopAtHome_Toolbar_Installer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	ShopAtHome_Toolbar_Installer.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ShopAtHome_Toolbar_Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SelectRebatesDownload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe
2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe
2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe
2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2952	2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2952	2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2952	2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2952	2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2952	2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2952	2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2952	2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2864	2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2864	2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2864	2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2864	2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2096	2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe	35
PID 2604 wrote to memory of 2096	2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe	35
PID 2604 wrote to memory of 2096	2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe	35
PID 2604 wrote to memory of 2096	2604	dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe	35
PID 2096 wrote to memory of 2560	2096	iexplore.exe	36
PID 2096 wrote to memory of 2560	2096	iexplore.exe	36
PID 2096 wrote to memory of 2560	2096	iexplore.exe	36
PID 2096 wrote to memory of 2560	2096	iexplore.exe	36

C:\Users\Admin\AppData\Local\Temp\dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbfbab21182b4238a1bc1498684337b5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\ShopAtHome_Toolbar_Installer.exe
  C:\Users\Admin\AppData\Local\Temp\ShopAtHome_Toolbar_Installer.exe -t:"C:\Users\Admin\AppData\Local\Temp\Low\M4QBCTP8.exe" -d:"C:\Program Files (x86)\SelectRebates\SelectRebatesDownload.exe" -i:"C:\Users\Admin\AppData\Local\Temp\Low\G8K3FGIA.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2952
- C:\Program Files (x86)\SelectRebates\SelectRebatesDownload.exe
  "C:\Program Files (x86)\SelectRebates\SelectRebatesDownload.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Program Files (x86)\internet explorer\iexplore.exe
  "C:\Program Files (x86)\internet explorer\iexplore.exe" "199.221.131.86/RequestHandler.ashx?MfcISAPICommand=installstatus&param=%00%01%01%00cIh8TWZadr7iiDTOi6Utcg07tcavA3WcY3TV323eREHrpox731DkCBZGfU0qqp228Xy0wsMSKPagey8hCWRuUpwJ4r9G2gTvhe5D6J9uMo4OBu8oZwQeYd_YO7VkKzr4X3uOBzJNEq67zZzZ3R5vrLEn62fcExm0WOkHAa_f_8t4jpdYLxDD4l6KYUKIMudg-wZFNjnV9T2lOCvt6ZS6xH7n7L-l7-tGvCgxYqLnd1mpBOmAsPkBEbs_YMmmtqbau9OFhjR9LRsGGu9nT4bRcyh7dW-DDbfcUSQXptZQka0LqdXscIps57T8A0bkbSuNLRY1vq9D1dROhQXy_UVpq0"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "199.221.131.86/RequestHandler.ashx?MfcISAPICommand=installstatus&param=%00%01%01%00cIh8TWZadr7iiDTOi6Utcg07tcavA3WcY3TV323eREHrpox731DkCBZGfU0qqp228Xy0wsMSKPagey8hCWRuUpwJ4r9G2gTvhe5D6J9uMo4OBu8oZwQeYd_YO7VkKzr4X3uOBzJNEq67zZzZ3R5vrLEn62fcExm0WOkHAa_f_8t4jpdYLxDD4l6KYUKIMudg-wZFNjnV9T2lOCvt6ZS6xH7n7L-l7-tGvCgxYqLnd1mpBOmAsPkBEbs_YMmmtqbau9OFhjR9LRsGGu9nT4bRcyh7dW-DDbfcUSQXptZQka0LqdXscIps57T8A0bkbSuNLRY1vq9D1dROhQXy_UVpq0"
    3⤵
    PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Low\G8K3FGIA.tmp

Filesize
56B

MD5
d32cede39e8b41ffb8f4a30b6006f5f0

SHA1
e4ce679afab2abf9e586f5fc938685354b592eb1

SHA256
eb8e6cab79e6781b58f83a3fff33b520195eab2b2eeb748eec69e14e5a83c64b

SHA512
e2d1c360e077d2b1dbe100869b347967c132036210994ebfcccc7cfda6b894344df89622dbd8ea6e6fab7746f836817425c3920dffe67dabcd70ca05ff50ccd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\G8K3FGIA.tmp

Filesize
73B

MD5
1c1c50eb4f1f6b881054f3fadcebefdb

SHA1
19dfa7ddd3ba46f7ff55e08ee76e3b49030ac5eb

SHA256
020eb4c5f6b8d78b3739b7c3265d5d437e9353f19d0e727f31aa3edf88674c54

SHA512
87bb21b9cef8acd34cacef64931af222cc6afa3d2eeeef29628d131c90556d9a06df6c5b524a1a4c8d106c9004b5c553d8007578888b24e82097ab22b4297920

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\M4QBCTP8.exe

Filesize
169KB

MD5
589c85ad4b3fd73456f32eb9d58e2f9c

SHA1
95ce6284d38c8948ce30c4abf9b4b6ff60c9efe6

SHA256
dfe385206e3ba737636463b22501b801b88169af789424e8a33c3cf07a8b2235

SHA512
eefa14b37c7ecdfe95f9951a09d0c876a2c1bfd8b029869f8928bae2266ebb0a90e64e10e0781ec71638042eb5e88806a252e55176578e96de44ab5c17f25782

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShopAtHome_Toolbar_Installer.exe

Filesize
185KB

MD5
6f859cb344a13169bfa611274ca70bd7

SHA1
f9109b10ceb1f248b59828a465098f96897bfe4b

SHA256
ac4f3c6d4484706c3a9f30739c4ad0165ee5ac17ea2ec5fbd59690ce758d60da

SHA512
3a8b0e62bf4c2ff15137119416ca90b4ffd0487991c88ee343fd9c5040b685ec6000b4c8c5a940c790a1a3927cfb3d4635876775b2086faadfb416dfa89ca5e7

Download Submit

Analysis

Sharing